Security researches competing at the annual Pwn2own conference yesterday uncovered two zero-day vulnerabilities in Safari. Two teams successfully exploited the bugs they found to achieve root access to macOS, while a third attempt failed.

Eleven teams are competing for a total $1M prize pot, with three of the ten attempts to date targeting Safari …

Chaitin Security Research Lab chained together an exploit that took advantage of six separate bugs to escalate their access to root on macOS, winning a $35,000 prize.

Samuel Groß and Niklas Baumstark won $28,000 for exploiting five bugs to display a message on the Touch Bar of a 2016 MacBook Pro.

Full details of both exploits will be provided to Apple so that the bugs can be fixed before they are made public.

The conference and competition continue today, though the targets have not yet been announced.

Safari is regularly targeted in the competition, the most embarrassing success being back in 2011 against Safari 5.0.4. French security firm Vupen took just five seconds to exploit a vulnerability in the browser to gain root access to a MacBook Air, winning the machine as part of their prize. In 2014, one team successfully exploited two Safari bugs in the iOS version to take control of an iPhone 5s, while another gained root access on the Mac, though noted that OS X security was better than other platforms.

FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear